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(54) AES Encryption circuit 

(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) that tem- 
porarily stores the output of the first Round Key Addition 
circuit (204) and executes Shift Row transformation; a 
Byte Sub transformation circuit (207) Into which the val- 
ues of the intermediate register/Shift Row transforma- 
tion circuit (206) are inputted and which executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) into which the values of the intermediate reg- 
ister/Shift Row transformation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
formation circuit (21 0> that executes Mix Column trans- 
formation upon the outputs of the second Round Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuit (204) 
one of the outputs of a first selector (202), the interme- 
diate register/Shift Row transformation circuit (206), the 
Byte Sub transformation circuit (207), and the Mix Col- 
umn transformation circuit (210). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of high-speed processing In the Implementation of 
the AES block cipher. 
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Description 

BACKGROUND OF THE INVENTION 
5 Technical Field 

[0001] The present Invention relates to an encryption circuit for implementing in hardware the Rijndael algorithm, 
which is the next generation common key block encryption standard, known as the AES (advanced encryption stand- 
ard), and wifl replace the current common.key block encryption standard In the US, called DES. 

10 

Description of Related Art 

[0002] A great variety of services are being considered that involve the Internet, Including electronic commerce and 

electronic money. These technologies are used not just in the daily Ih/es of individuate, but also in a wide range of 
is fields, Including transactions among corporations and Improving productivity. In particular, it is expected that encryption 

functions will be loaded onto smart cards, and mobile handsets, for the purpose of verifying the identity of Individuals, 

and that these technologies will be widely used for authentication, digital signatures, and data encryption. 

[0003] Common key cryptography Is used In these applications to prevent third parties from tapping on the Internet. 

The current standard adopted In the US for common key cryptography is DES; as its replacement, the AES (advanced 
20 encryption standard), known as the Rijndael algorithm, has been selected to be next generation common key block 

cryptography standard, and this algorithm is becoming the new standard. {The AES draft is available at http://Gsrc.nist. 

gov/pubilcations/drafts/dfips-AES.pdf) 

[0004] AES is a block cipher for processing in block lengths of 128 bit3, and the encryption algorithm, as shown in 
FIG. 1 , is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
25 unit 10. The roundfunction unit 20 comprises an input reglster21 that temporarily stores Input data, an XQR processing 
unit 22 that XORs the input data and expanded key segment, a round processing unit .23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transformation unit 31 , a Shift Row transformation unit 
32, a Mix Column transformation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs 
30 the processing of the round processing unit 23 except forthe Mix Column transformation 33; it comprises a Byte Sub 
transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37. 
[0006] Round processing Iterated; the number of rounds Nr including the final round depends on the key length 
inputted into the key schedule unit 10, and is defined as shown in Table 1 . 

35 ' [Table 1] . . . 



Key Length and Number of Rounds 


Key Length 


Nr. 


128bit 


10 


I92brt 


12 


256brt 


14 



[0007] Thus for each key length round processing is executed Nr-1 times, and at the end the final round processing 
is executed. When the key length is 123 bits, round processing is executed 9 times; when 1 92 bits, 11 times; and when 
256 bits, 13 times; and then in each case the final round processing is executed. Round keys generated at the key 
schedule unit 10 are Inputted into the XOR processing unit 22, round processing unit 23 and final round processing 
unit 24. 

[0008] The key schedule unit 10 generates round keys based on the key generation schedule specified In the AES 
draft; that algorithm Is shown in FIG. 2. 

[0009] The AES Proposal specification (AES Proposal: Rijndael, at http -7/csrc. nlst.gov/encryptlon/aes/rijndael/Rljn- 
dael.pdf) introduces 2 hardware implementations for AES block cipher circuits. 

[0010] One of these Is a method for hardware implementation, in 12B bit units, of ail the functions shown in FIQ. 1 
as they are (hereinafter, "conventional example 1 u ). In this case, for encryption and decryption, the order of processing 
of the functions Is reversed, and thus it is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[0011] Also, because, as shown in Table 1 , it is necessary to change the number of times round processing is exe- 
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cuted depending upon the key length, It is necessary to create circuits for each key length. 

[0012] Furthermore, because of the reversal of order between encryption and decryption, the order of key generation 
in the key schedule unit 1 0 for the round keys used in the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or 

5 a method has to be devised for using the key schedule unit 1 0 for both encryption and decryption. 

[0013] The second method, as shown in FIG. 3 , Involves creating a coprocessor 50 that has a Byte Sub transformation 
unit 51 and a Mix Column transformation unit 52, and implementing in hardware only the Byte Sub transformation and 
the Mix Column transformation functions, and having all other functions incorporated as software into a program 41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). 

10 [0014] !n this case, Byte Sub transformation and Mix Column transformation, which are unsuited for processing by 
the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor 50, and the other process- 
ing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES block cipher is to be incorporated Into a smart card or the like, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of 

15 the circuit small. With these requirements, the conventionally proposed method of implementing all the functions in 
128-bit units results In the scale of circuit being too large : making the loading thereof onto a smart card difficult. With 
the method of Implementing In hardware only the Byte Sub transformation and the M|x Column transformation, and 
processing the other functions with software, there Is the problem of the processing speed requirements not being 
fulfilled. 

20 [0016] Moreover, with the key schedule unit 10 that generates the round keys, if all the round keys are stored in 
memory, a large-capacity memory is needed, and this would make the scale of circuit large. Therefore, in order to 
reduce the scale of circuit without reducing processing speed, it is desirable to generate round keys with a circuit 
constitution that does not require storing the entire expanded key in memory, 

25 SUMMARY OF THE INVENTION 

[001 7] It is an object of the present invention to present an encryption circuit that is small in scale and that can achieve 
a certain level of processing speed when implementing the AES block cipher 

[0018] The present invention provides an encryption circuit that generates from a cipher key a plurality of round keys 
30 having a number of bits corresponding to a predetermined processing block length and executing, for each processing 
block length, input data and round key encryption/decryption processing, by means of a round lunction unit comprising 
an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates 
round processing that includes Byte Sub transformation, Shift Row transformation, Mix Column transformation and 
Round Key Addition, wherein: 

35 the round processing unit comprises: a first selector that segments input data Into execution block lengths smaller than 
the processing block length; a first Round Key Addition circuit that adds the round key value to input data for each the 
execution block length; an intermediate register/Shift Row transformation circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transformation using the processing block length; a Byte 
Sub transformation circuit wherein the intermediate register/Shift Row transformation circuit value Is Inputted for each 

40 the execution block length and Byte Sub transformation is executed; a second Round Key Addition circuit wherein the 
intermediate register/Shift Row transformation circuit value is inputted for each the execution block length and the 
round key value Is added for each the execution blocklength; a Mix Column transformation circuit executing Mix Column 
transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition circuit one output from among the outputs or the first selector, intermediate register/Shift Row 

45 transformation circuit, Byte Sub transformation circuit, or Mix Column transformation circuit. 

[0019] Here, the execution block length can be a multiple of 8 bits, the processing block length can be 128 bits and 
the execution block length can be 32 bits. 

[0020] Further, the key length of the cipher key can be any of 1 28 bits, 1 92 bits or 256 bits. 

[0021] Also, the Byte Sub transformation circuit can comprise a matrix operation unit for decryption that executes a 
50 matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 
unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
selector; a matrix operation unit for encryption that executes a matrix operation on the data outputted from the Inverse 
operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the 
matrix operation unit for encryption. 
55 [0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprises an 
XOR circuit so as to perform 8-bit operations at one dock cycle and the matrix operation unit for decryption and the 
matrix operation unit for encryption comprises an XOR circuit so as to perform 1-bit operations at one clock cycle. 
[0023] Also, the intermediate register/Shift Row transformation circuit can be usedforboth encryption and decryption 
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through the reversal of order of input of shift data relating to amount of shift for data to be inputted into the intermediate 
register/Shift Row transformation circuit, the input order for decryption being the reverse of the order for encryption. 
[0024] Further, the Mix Column transformation circuit can comprise a plurality of multiplication units with unique 
multipliers and an XOR circuit that performs XOR operations for the plurality of multiplication units, the Mix Column 

5 transformation circuit executing a matrix operation between data inputted Into each multiplication unit and the multiplier 
established for each multiplication unit. In this case, the Mix Column transformation circuit comprises 4 operation units 
having 4 multiplication units capable of 8-bit unit operations and XOR circuits that execute XOR operations based on 
the outputs of the 4 multiplication units. This multiplication units can control 2 multipliers and are used for both encryption 
and decryption and the multiplication units can be constituted to control addition values from high-order bits. 

10 [0025] Also, an encryption circuit can be constituted so as to have a key expansion schedule circuit that generates 
from the cipher key, as an expanded key segmented into bit numbers corresponding to the execution block length, a 
plurality of round keys with bit numbers corresponding to a predetermined processing block length. The key expansion 
schedule circuit comprises: 

a fifth selector that segments a cipher key Into the number of bits corresponding to the execution block length and 
outputs the same; 

a shift registerto which flip-flop circuits are connected at a plurality of stages, the flip-flop circuits latching data In 
units of the execution block length; 

a first XOR circuit that XORs the output of the final stage flip-flop circuit of the shift register with one constant 
selected from among a group of constants; 

a sixth selector Into which are inputted the outputs of those flip-flops of the shift register that are involved in oper- 
ations for encryption and the outputs of those flip-flops involved in operations for decryption, and which selectively 
outputs one of these; 

a Rot Byte processing circuit that rotates the output of the sixth selector; 

a seventh selector Into which the output of the sixth selector and the output of the Rot Byte circuit is inputted and 
which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation oh the output of the seventh selector for each 
the execution block length; 

an eighth selector Into which the output of the sixth selector and the output of the Sub Byte processing circuit are 
inputted, and which selectively outputs one of these; 

a second XOR circuit that executes an XOR operation based on the output of the first XOR circuit and the output 
of the eighth selector; and 

a shift register unit selector that selectively outputs, to those flip-flops of the shift register the outputs of which are 
subject to operations for encryption, either the output of the second XOR circuit or the output of the adjacent stage 
flip-flop. 

[0026] Here, the shift register comprises 8 flip-flops executing data processing in 32-bit units, and the sixth selector 
is constituted so that the outputs of the second, fourth, sixth and eighth flip-flops from the bottom from among the flip- 
flops are inputted therein, and that it outputs one of these. 

^0 [0027] Also, through the input into the seventh selector of the output of the intermediate register/Shift Row transfor- 
mation circuit and the Input into the second selector of the output of the' Sub Byte processing circuit, a single circuit 
can be used for the Sub Byte processing circuit and the Byte Sub transformation circuit of the round processing unit 
[0028] From the following detailed description in conjunction with the accompanying drawings, the foregoing and 
other objects, features, aspects and advantages of the present Invention will become readily apparent to those skilled 

*s in the art 

BRJEF DESCRIPTION OF THE DRAWINGS 
[0029] 

FIG. 1 Is a block diagram of AES processing using the Rijndael algorithm; 
FIG. 2 is a key schedule program list; 

FIG. 3 is a block diagram showing one envisioned circuit implementation; 

FIG. 4 is a block diagram of a round function unit adopted In a first embodiment of the present invention; 
FIG. 5 is a block diagram showing an intermediate register/Shift Row transformation circuit; 
FIG. 6 Is a block diagram showing a Mix Column transformation circuit; 
FIG. 7 is a block diagram showing the constitution of a multiplication unit; 
FIG. B is a block diagram. showing another constitution of a multiplication unit; 
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FIG. 9 is a block diagram showing a key schedule unit; 
FIG. 10 is a block diagram showing a Byte Sub transformation circuit; 
FIG. 11 is a block diagram showing a matrix operation circuit for encryption; 
FIG. 12 is a block diagram showing a matrix operation circuit for decryption; 
s FIG. 13 is a block diagram showing another example of a matrix operation circuit for encryption; and 

FIG. 14 is a block diagram showing another example of a matrix operation circuit for decryption. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

10 Round Function Unit 

[0030] The AES block cipher Is an algorithm that encrypts/decrypts the 128 bit data with the 128 bit, 1 92 bit or 256 
bit key. As shown in FIG. 1, it comprises a key schedule unit 10 that generates a plurality of round keys from the cipher 
key, and a round function unit 20 that uses the round keys inputted from the key schedule unit 1 0 to encrypt and decrypt. 

is The round function unit 20 performs such processing as XOR operations, Byte Sub transformation processing, Shift 
Row transformation processing, Mix Column transformation processing, Round Key Addition processing. 
[0031] The first embodiment of the present Invention is a circuit for implementation of this round function unit 20, 
and the constitution of this circuit is shown In FIG. 4. Each circuit block executes 32-blt processing with the exception 
of Shift Row transformation processing, which is 1 28-blt processing; transfer of data between circuit blocks is executed 

20 in 32-blt units. 

[0032] This round function unit contains: an input register 201 that temporarily stores input data; a first selector 202 
that selects 32-blt data from the 128-bit input data; a second selector 203 Into one Input terminal of which the output 
of the first selector 202 is inputted; a first Round Key Addition circuit 204 into which the output of the second selector 
203 is inputted; an add data selector 205 that inputs into the first Round Key Addition circuit 204 an expanded key 

25 segment or "O*; an intermediate register/Shift Row transformation circuit 206 that stores the output value of the first 
Round Key Addition circuit 204 and executes Shift Row transformation in 128-bit units; a Byte Sub transformation 
circuit 207 into which intermediate register/Shift Row transformation circuit 20e values are inputted and which executes 
Byte Sub transformation; a second'Round Key Addition circuit 208 into which Intermediate register/Shift Row transfor- 
mation circuit 206 values are inputted for each 32 bits; an add data selector 209 which inputs into the second Round 

30 Key Addition circuit 208 an expanded key segment or "0"; and a Mix Column transformation circuit21 0 which executes 
Mix Column transformation on the output of the second Round Key Addition circuit 208. The outputs or the first selector 
202, Byte Sub transformation circuit 207, Mix Column transformation circuit 210, and. intermediate register/Shift Row 
transformation circuit 206 are inputted into the second selector 203, and one of these outputs is outputted to the first 
Round Key Addition circuit 204. 



35 



40 



45 



Operation Schedule during Encryption 

[0033] The operation schedule during encryption in the round function unit is shown in Table 2. 
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f Table 2] 



Round Function Operation Schedule 



40 



5 




Cycle 


Processing 






0 


000-003 


Round Key Addition 


a 


10 






tayte 5>uo l ransformatlon 


b 


T 


ooa 


Shift Row Transformation 


c 


15 






Mix Column Transformation 
Round Key Addition 


c 




mi— nic 
Ulo^Ulo 


Byte Sub Transformation 


b- 




2 


017 


Shift Row transformation 


c 


20 




Ulo— OZi 


Mix Column Transformation 
Round Key Addition 


c 






Omitted 






25 














#1 


Rvtn Si ih TrnrMfnrmatinn 
*-*y»*' muu i i ui » i or i n auon 


Q 




NH 


(Nr-1)*9-1 


Shift Row Transformation 


• c • 


30 




(Nr-1)*9 - 
(Nr-1)*9+3 


Mix Column Transformation 
Round Key Addition 


c 






#2 


Byte Sub Transf ormati o n 


b 


35 


Nr 


Nr*9-1 


Shift Row Transformation 


d 






Nr*9- 


Round Key Addition 


d 



#1:(NrH)*9-5-(Nr-1)*9-2 
#2:Nr*9-5-Nr*3-2 

Note: The table shows operations during encryption. 
In decryption, the order of round key and Mix 
Column processings is switched. 
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[0034] Here, in round 0, addition of an expanded key segment is executed by trie first Round Key Addition circuit 
204 with a selector position of w a" for the second selector 203. Input data in the input register 201 is selected In 32 bit 
units by the first selector 202 and Inputted into the first Round Key Addition circuit 204, and to this Is added a portion 
of a round key, inputted from the key schedule unit, this portion being a 32-bit segment of the expanded key. While the 
input data and the expanded key aro being changed into 32^bit units, the first Round Key Addition circuit 204 executes 
addition processing, and the XOR processing of the XOR unit 22 in FIG. 1 is thereby executed on 1 28-bit processing 
blocks In the 4 cycles of cycles 000 through 003. The result of the operation by the first Round Key Addition circuit 204 
Is stored in order In 32-bit units in the intermediate register/Shift Row transformation circuit 206. 
[0035] In round 1 , the round processing 23 in FIG. 1 is executed, and Byte Sub transformation processing 31 , Shift 
Row transformation processing 32, Mix Column transformation processing 33, and Round Key Addition processing 34 
are executed. Thus, first of all. in cycles 004 through 007, with a selector position of "b" for the second selector 203, 
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the data stored In the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-blt units, is 
read out and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by 
the add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. The result of the 
operations of Byte Sub transformation circuit 207 is stored In order in 32-bit units in the intermediate register/Shift Row 
5 transformation circuit 206. Thus Byte Sub transformation processing performs on 1 28 bits, and the result is stored in 
the intermediate register/Shift Row transformation circuit 206. ' 

[0036J Next, in cycle 008, Shift Row transformation processing Is executed. The intermediate register/Shift Row ■ 
transformation circuit 206 is capable of executing Shift Row transformation processing In 128-bit units, and in this cycle * 
008, 128-bit Shift Row transformation processing is executed. At this time, the selector position of the second selector 

10 203 may be any position, but in consideration of the processing in the next cycle, a position of "c" is preferable. 

[0037] In cycles 009 through 0012, Mix Column transformation processing and Round Key Addition processing are 
executed. Herein, the data stored In the intermediate register/Shift Row transformation circuit 206, while being shifted 
In 32-blt units, is read out and inputted into the second Round Key Addition circuit 208. At this time, by making the data 
to be selected by the add data selector 209 "O", the second Round Key Addition circuit 208 is put into a masked state. 

is By setting the selector position of the second selector 203 at V, the data upon which Mix Column transformation 
processing has been executed at the Mix Column transformation circuit 21 0 is inputted into the first Round Key Addition 
circuit 204 via the second se!ector203. An expanded keysegmentto be Inputted from the key schedule unit is selected 
for data to be selected by the add data selector 205, and this data undergoes Round Key Addition processing at the 
first Round Key Addition circuit 204. The result of the Mix Column transformation processing at the Mix Column trans- 

20 formation circuit 210 and the Round Key Addition processing at the first Round Key Addition circuit 204 are, while 
being each shifted in 32-bit units, stored in the intermediate registeryShift Row transformation circuit 206. Thus, the 
result of the 128 bits upon which Mix Column transformation processing and the Round Key Addition processing were 
executed in cycles 009 through 01 2 are 3tored in the intermediate register/Shift Row transformation circuit 206. In this 
manner, one round of processing is executed in the 9 cycles of cycles 004 through 01 2. 

25 [0038] Next, in rounds 2 through (Nr-1), the same processing as in round 1 is executed (however, Nr is the number 
of processing rounds including the final round, and as shown In Table 1 , the number of rounds will differ according to 
key length). 

[0039] In round Nr (the final round), the final round processing 24 of FIG. 1 is executed; this comprises Byte Sub 
transformation processing 35, Shift Row transformation processing 36 and Round Key Addition processing 37. 

30 [0040] Thus in cycles (Nr*9-5) through (Nr*9-2), with the selector position of the second selector 203 at "b", data 
stored in the intermediate register/Shift Row transformation circuit 206, while being shifted In 32-bit units, is read out 
and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add 
data selector 205 "0\ the first Round Key Addition circuit 204 is put into a masked state: The result of the operation 
of the Byte Sub transformation circuit 207 is stored in order in 32-blt units in the intermediate register/Shift Row trans- 

35 formation circuit 206. Thus Byte Sub transformation processing of 1 28 bits is performed, and the result is stored in the 
• intermediate register/Shift Row transformation circuit 206. 
[0041] Next, In the (Nr*9-1 ) cycle, 128-bit Shift Row processing is executed. At this time, the selection position of 
the second selector 203 may be any position, but in consideration of the processing of the next cycle, a position of "d" 
is preferable; 

4o [0042] In the (Nr*9) through (Nr*9+3) cycles, Round Key Addition processing is executed. Specifically, by making 
the selector position of the second selector 203 M d tt , the data stored In the intermediate register/Shift Row transformation 
circuit 206, while being shifted in 32-bit units, is read out and Inputted into the first Round Key Addition circuit 204 via 
the second selector 203. At this time, by making data to be selected by the add data selector 205 an expanded key 
segment to be inputted from the key schedule unit, the first Round Key Addition circuit 204 adds 32-bit round keys. 

** The result of the Round Key Addition processing by the first Round Key Addition circuit 204 is stored in the intermediate 
register/Shift Row transformation circuit 206 while being shifted in 32-blt units. Thus in the (Nr*9) through (Nr*9+3) 
cycles, the resuit of the Round Key Addition processing on the 128 bits is stored In the intermediate register/Shift Row 
transformation circuit 206. in this manner, in the 9 cycles from (Nr*9-5) through (Nr9+3) f final round processing is 
executed. 

50 

Operation Schedule during Decryption 

[0043] Operations during decryption in this roundfunction unit are performed In the reverse orderto operations during 
encryption. This operation schedule is shown in Table 3. 
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